private static AuthHandle EstablishOIAP(TPMWrapper tpm)
{
ILog log = LogManager.GetLogger("EstablishOIAP");
for (int i = 0; i < 2; i++)
{
TPMCommandRequest request = new TPMCommandRequest(TPMCommandNames.TPM_CMD_OIAP, new Parameters());
TPMCommandResponse response = tpm.Process(request);
AuthHandle myAuthHandle = response.Parameters.GetValueOf <AuthHandle> ("auth_handle");
// Parameters parameters = new Parameters ();
// parameters.AddValue ("handle", myAuthHandle);
// TPMCommandRequest requestFlush = new TPMCommandRequest (TPMCommandNames.TPM_CMD_FLUSH_SPECIFIC, parameters);
// tpm.Process (requestFlush);
//return myAuthHandle;
}
Parameters listHandlesParameters = new Parameters();
listHandlesParameters.AddPrimitiveType("capArea", CapabilityData.TPMCapabilityArea.TPM_CAP_HANDLE);
listHandlesParameters.AddPrimitiveType("handle_type", TPMResourceType.TPM_RT_AUTH);
TPMCommandRequest listHandlesRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_GetCapability, listHandlesParameters);
TPMCommandResponse listHandlesResponse = tpm.Process(listHandlesRequest);
HandleList loadedKeyHandles = listHandlesResponse.Parameters.GetValueOf <HandleList> ("handles");
return(null);
}
public void LoadAuthHandle(AuthHandle authHandle)
{
using (new LockContext(_authHandles, "AuthHandleManager::LoadAuthHandle"))
{
List <AuthHandleItem> myAuthHandles = _authHandles.FindAuthHandles(AuthHandleItem.AuthHandleStatus.SwappedOut);
_logger.DebugFormat("LoadAuthHandle: #{0}", myAuthHandles.Count);
foreach (AuthHandleItem handleItem in myAuthHandles)
{
_logger.DebugFormat("LoadAuthHandles: Found auth handle {0} with status {1}", handleItem.AuthHandle, handleItem.Status);
if (handleItem.AuthHandle == authHandle &&
handleItem.Status != AuthHandleItem.AuthHandleStatus.SwappedIn)
{
//If we have an OSAP auth handle, make sure that the corresponding resource is loaded
AuthSessionNum authSession = handleItem.AssociatedCommand.Value.Key;
IAuthorizableCommand cmd = handleItem.AssociatedCommand.Value.Value;
KeyHandle newKeyHandle;
if (cmd.GetEntityType(authSession) == TPMEntityTypeLSB.TPM_ET_KEYHANDLE && cmd.GetHandle(authSession) != KeyHandle.KEY_SRK)
{
cmd.KeyManager.LoadKey(cmd.GetHandle(authSession));
newKeyHandle = cmd.KeyManager.IdentifierToHandle(cmd.GetHandle(authSession));
if (handleItem.AuthHandle.EntityValue != newKeyHandle.Handle)
{
throw new ArgumentException(string.Format("OSAP with entity type={0}, entity value={1} could not be restored", handleItem.AuthHandle.EntityType, handleItem.AuthHandle.EntityValue));
}
}
SwapIn(handleItem);
_logger.DebugFormat("LoadAuthHandles: Swapped in {0}", handleItem.AuthHandle);
}
}
}
}
private AuthHandleItem FindAuthHandleItem(AuthHandle authHandle)
{
foreach (AuthHandleItem item in _authHandles)
{
if (item.AuthHandle == authHandle)
{
return(item);
}
}
return(null);
}
protected override TPMCommandResponse InternalProcess()
{
// Unencrypted authorization values, they need to be XOR-Encrypted with
// XOR(auth, SHA-1(OSAP shared secret | session nonce))
//
// OSAP_shared_secret = HMAC(key=usage secret of key handle, nonce even osap | nonce odd osap)
AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1);
_encAuth = _params.GetValueOf <byte[]> ("data_auth");
byte[] xorKey = new HashProvider().Hash(
new HashByteDataProvider(auth1OSAP.SharedSecret),
new HashByteDataProvider(auth1OSAP.NonceEven));
ByteHelper.XORBytes(_encAuth, xorKey);
//Load parent key if not loaded
_keyManager.LoadKey(_params.GetValueOf <string>("key"));
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_Seal);
//key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.Write(_encAuth, 0, 20);
TPMBlobWriteableHelper.WriteITPMBlobWritableWithUIntSize(requestBlob, _pcrInfo);
requestBlob.WriteUInt32((uint)_inData.Length);
requestBlob.Write(_inData, 0, _inData.Length);
AuthorizeMe(requestBlob);
using (_keyManager.AcquireLock())
{
requestBlob.SkipHeader();
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf <string>("key")).Handle);
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMStoredDataCore sealedData = TPMStoredDataCore.CreateFromTPMBlob(_responseBlob);
Parameters responseParams = new Parameters();
responseParams.AddPrimitiveType("data", ByteHelper.SerializeToBytes(sealedData));
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_Seal, responseParams));
}
public void RemoveAuthHandles(IAuthorizableCommand cmd, AuthHandle authHandle)
{
using (new LockContext(_authHandles, "AuthHandleManager::RemoveAuthHandles2"))
{
AuthHandleItem item = FindAuthHandleItem(authHandle);
if (item == null)
{
return;
}
if (item.AssociatedCommand != null && item.AssociatedCommand.Value.Value == cmd)
{
InternalRemoveAuthHandle(item);
}
else
{
return;
}
}
}
protected override TPMCommandResponse InternalProcess()
{
AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1);
byte[] xorKey = new HashProvider().Hash(
new HashByteDataProvider(auth1OSAP.SharedSecret),
new HashByteDataProvider(auth1OSAP.NonceEven));
ByteHelper.XORBytes(_secret, xorKey);
if (_secret.Length != 20)
{
throw new ArgumentException("secret needs to be 20 bytes long (SHA1 hash)");
}
if (_label.Length != 4)
{
throw new ArgumentException("Label needs to be 4 bytes long");
}
using (TPMBlob requestBlob = new TPMBlob())
{
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_CreateCounter);
requestBlob.Write(_secret, 0, 20);
requestBlob.Write(_label, 0, 4);
_responseBlob = AuthorizeMeAndTransmit(requestBlob);
}
_responseBlob.SkipHeader();
_responseParameters = new Parameters();
_responseParameters.AddPrimitiveType("counter_id", _responseBlob.ReadUInt32());
_responseParameters.AddValue("counter_value", TPMCounterValueCore.CreateFromTPMBlob(_responseBlob));
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateCounter, _responseParameters));
}
public void RemoveAuthorizationHandle(IAuthorizableCommand cmd, AuthHandle handle)
{
_tpmContext.AuthHandleManager.RemoveAuthHandles(cmd, handle);
}
public void DestroyAuthorizationHandle(IAuthorizableCommand cmd, AuthHandle handle)
{
_tpmContext.AuthHandleManager.DestroyAuthHandles(cmd, handle);
}
protected override TPMCommandResponse InternalProcess()
{
// Unencrypted authorization values, they need to be XOR-Encrypted with
// XOR(auth, SHA-1(OSAP shared secret | session nonce))
//
// OSAP_shared_secret = HMAC(key=usage secret of key handle, nonce even osap | nonce odd osap)
AuthHandle auth1OSAP = _commandAuthHelper.AssureOSAPSharedSecret(this, AuthSessionNum.Auth1);
_usageAuth = _params.GetValueOf <byte[]> ("usage_auth");
_migrationAuth = _params.GetValueOf <byte[]> ("migration_auth");
byte[] xorKey = new HashProvider().Hash(
new HashByteDataProvider(auth1OSAP.SharedSecret),
new HashByteDataProvider(auth1OSAP.NonceEven));
ByteHelper.XORBytes(_usageAuth, xorKey);
ByteHelper.XORBytes(_migrationAuth, xorKey);
//Load parent key if not loaded
_keyManager.LoadKey(_params.GetValueOf <string>("parent"));
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_AUTH1_COMMAND, TPMOrdinals.TPM_ORD_CreateWrapKey);
//parent key handle gets inserted later, it may be not available now
requestBlob.WriteUInt32(0);
requestBlob.Write(_usageAuth, 0, 20);
requestBlob.Write(_migrationAuth, 0, 20);
_tpmKey.WriteToTpmBlob(requestBlob);
using (_keyManager.AcquireLock())
{
AuthorizeMe(requestBlob);
requestBlob.SkipHeader();
if (_params.GetValueOf <string>("parent") == KeyHandle.KEY_SRK)
{
requestBlob.WriteUInt32((uint)TPMKeyHandles.TPM_KH_SRK);
}
else
{
requestBlob.WriteUInt32(_keyManager.IdentifierToHandle(_params.GetValueOf <string>("parent")).Handle);
}
_responseBlob = TransmitMe(requestBlob);
}
CheckResponseAuthInfo();
_responseBlob.SkipHeader();
TPMKeyCore newKey = new TPMKeyCore(_responseBlob);
_responseParameters = new Parameters();
//Build and save the key identifier
//The key identifier is the hex-string representation of the hash of the newly created key
_responseParameters.AddPrimitiveType("key_identifier",
ByteHelper.ByteArrayToHexString(
new HashProvider().Hash(
new HashByteDataProvider(
ByteHelper.SerializeToBytes(newKey)
)
),
""));
_responseParameters.AddPrimitiveType("key_data", ByteHelper.SerializeToBytes(newKey));
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_CreateWrapKey, _responseParameters));
}
public AuthHandleItem(AuthHandle authHandle, AuthHandleStatus status)
{
_authHandle = authHandle;
_status = status;
}
private AuthHandleItem CreateAuthHandle(IAuthorizableCommand cmd, AuthSessionNum authSession)
{
if (cmd.SupportsAuthType(AuthHandle.AuthType.OIAP))
{
TPMCommandRequest oiapRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_OIAP, new Parameters());
TPMCommandResponse oiapResponse = _tpmContext.TPM.Process(oiapRequest, cmd.CommandAuthHelper, cmd.KeyManager);
if (oiapResponse.Status == false)
{
throw new TPMRequestException("Unknown error while creating oiap auth handle");
}
AuthHandle newAuthHandle = oiapResponse.Parameters.GetValueOf <AuthHandle>("auth_handle");
AuthHandleItem authHandleItem = new AuthHandleItem(newAuthHandle, AuthHandleItem.AuthHandleStatus.SwappedIn);
authHandleItem.AssociatedCommand = new KeyValuePair <AuthSessionNum, IAuthorizableCommand>(authSession, cmd);
using (new LockContext(_authHandles, "CreateAuthHandle OIAP"))
{
_authHandles.AddAuthHandle(authHandleItem);
AddNewItem(authHandleItem);
}
return(authHandleItem);
}
else if (cmd.SupportsAuthType(AuthHandle.AuthType.OSAP))
{
Parameters parameters = new Parameters();
parameters.AddPrimitiveType("entity_msb", TPMEntityTypeMSB.TPM_ET_XOR);
parameters.AddPrimitiveType("entity_lsb", cmd.GetEntityType(authSession));
string identifier = cmd.GetHandle(authSession);
if (identifier == null)
{
throw new TPMRequestException("Missing entity value for OSAP session");
}
parameters.AddPrimitiveType("entity_value", identifier);
TPMCommandRequest osapRequest = new TPMCommandRequest(TPMCommandNames.TPM_CMD_OSAP, parameters);
TPMCommandResponse osapResponse = _tpmContext.TPM.Process(osapRequest, cmd.CommandAuthHelper, cmd.KeyManager);
if (osapResponse.Status == false)
{
throw new TPMRequestException("Unknown error while creating osap auth handle");
}
AuthHandle newAuthHandle = osapResponse.Parameters.GetValueOf <AuthHandle>("auth_handle");
AuthHandleItem authHandleItem = new AuthHandleItem(newAuthHandle, AuthHandleItem.AuthHandleStatus.SwappedIn);
authHandleItem.AssociatedCommand = new KeyValuePair <AuthSessionNum, IAuthorizableCommand>(authSession, cmd);
using (new LockContext(_authHandles, "CreateAuthHandle OSAP"))
{
_authHandles.AddAuthHandle(authHandleItem);
AddNewItem(authHandleItem);
}
return(authHandleItem);
}
else
{
throw new NotSupportedException("Command does not support a suitable AuthType");
}
}
public override TPMCommandResponse Process()
{
TPMEntityTypeLSB entityLSB = _params.GetValueOf <TPMEntityTypeLSB>("entity_lsb");
TPMEntityTypeMSB entityMSB = _params.GetValueOf <TPMEntityTypeMSB>("entity_msb");
string identifier = _params.GetValueOf <string>("entity_value");
if (entityLSB != TPMEntityTypeLSB.TPM_ET_KEYHANDLE &&
entityLSB != TPMEntityTypeLSB.TPM_ET_SRK &&
entityLSB != TPMEntityTypeLSB.TPM_ET_OWNER)
{
throw new ArgumentException("TPM_OSAP does currently not support entityType: " + entityLSB.ToString());
}
if (entityMSB != TPMEntityTypeMSB.TPM_ET_XOR)
{
throw new ArgumentException(string.Format("TPM_OSAP does currently not support '{0}' EncAuth encryption", entityMSB));
}
if (entityLSB == TPMEntityTypeLSB.TPM_ET_KEYHANDLE ||
entityLSB == TPMEntityTypeLSB.TPM_ET_SRK)
{
//We now know that the current identifier is a key identifier (maybe srk, but then the value is ignored by TPM_OSAP).
//So we invoke the key manager to load the key with the specified identifier and establish an OSAP session
_keyManager.LoadKey(identifier);
}
//handle is not known yet
AuthHandle authHandle = new AuthHandle(AuthHandle.AuthType.OSAP, 0);
authHandle.EntityType = entityLSB;
authHandle.NewNonceOddOSAP();
using (_keyManager.AcquireLock())
{
TPMBlob requestBlob = new TPMBlob();
requestBlob.WriteCmdHeader(TPMCmdTags.TPM_TAG_RQU_COMMAND, TPMOrdinals.TPM_ORD_OSAP);
requestBlob.WriteUInt16((ushort)(((ushort)entityMSB << 8) | (ushort)entityLSB));
if (entityLSB == TPMEntityTypeLSB.TPM_ET_KEYHANDLE ||
entityLSB == TPMEntityTypeLSB.TPM_ET_SRK)
{
if (identifier == KeyHandle.KEY_SRK)
{
requestBlob.WriteUInt32((uint)TPMKeyHandles.TPM_KH_SRK);
authHandle.EntityValue = (uint)TPMKeyHandles.TPM_KH_SRK;
}
else
{
KeyHandle keyHandle = _keyManager.IdentifierToHandle(identifier);
requestBlob.WriteUInt32(keyHandle.Handle);
authHandle.EntityValue = keyHandle.Handle;
}
}
else if (entityLSB == TPMEntityTypeLSB.TPM_ET_OWNER)
{
requestBlob.WriteUInt32((uint)TPMKeyHandles.TPM_KH_OWNER);
authHandle.EntityValue = (uint)TPMKeyHandles.TPM_KH_OWNER;
}
requestBlob.Write(authHandle.NonceOddOSAP, 0, authHandle.NonceOddOSAP.Length);
requestBlob.WriteCmdSize();
_commandAuthHelper.EnsureFreeSlot();
_responseBlob = TransmitMe(requestBlob);
}
_responseBlob.SkipHeader();
AuthHandleCore receivedAuthHandle = new AuthHandleCore(AuthHandle.AuthType.OSAP, _responseBlob);
authHandle.UpdateFromOtherAuthHandle(receivedAuthHandle);
_responseParameters = new Parameters();
_responseParameters.AddValue("auth_handle", authHandle);
return(new TPMCommandResponse(true, TPMCommandNames.TPM_CMD_OSAP, _responseParameters));
}
